Active Directory and Squid – Planning for Large Networks with 7000+ Users

Tags: active-directory, linux, networking, squid

We have about 1600 active nodes and 6000 students in our network, and we have a great Cisco backbone; we have 8 faculties (they have sites and wireless access points) and 10 centers, like a hospital.
We need to organize our network with MS AD. In the first step, having a root AD with a powerful server can be our solution, but according to our research I think we need a hierarchical AD: we should have a forest (shahed.ac.ir) and 18 trees for sub-centers (like eng.shahed.ac.ir).
Also, we are going to use a Squid server for caching and its delay pools to share the internet (40 Mb), with NTLM authentication.
What do you think of this plan? Can this solution be appropriate for our network?
We need to have a LOM for this solution (AD). What is the most important thing for this plan (CPU, RAM, hard … of the servers)? (We are going to buy HP DL380.)
Please help me.

Best Answer

You don't want, and likely don't need, multiple Active Directory domains to manage. Basically, you always want to avoid multi-domain AD deployments if you can help it. (And you really want to avoid multi-forest deployments...)

In a Windows 2000 or Windows 2003 Active Directory, one used multiple domains when there were different groups of users who needed different password policies. Windows 2008 Active Directory can have granular password policies and eliminates this need.

In Windows 2000 to 2008 Active Directory, using multiple domains to partition the AD database into smaller units of replication is also a valid reason. An Active Directory with under 10,000 users isn't really all that large. You likely don't need to use multiple domains for partitioning of replication.

Having usernames read a certain way (i.e. user@shahed.ac.ir versus user@eng.shahed.ac.ir) can be accomplished in a single domain with alternative User Principal Name (UPN) suffixes and isn't a valid reason for deploying a multi-domain infrastructure.

Using Squid and NTLM authentication is a perfectly valid solution for authenticating Internet access. Sizing of your Squid server computers and Active Directory domain controller computers isn't something that Server Fault can reasonably do with the information you've given above. Microsoft has an Active Directory Sizing Tool, but it hasn't been updated in several years (either for updated versions of Windows or updated server hardware specs).
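The two single-domain alternatives the answer names, alternative UPN suffixes and granular (fine-grained) password policies, look like this in practice. The following is an added PowerShell example written for this page, not code from the answer's author; it assumes the forest root is shahed.ac.ir as in the question, an RSAT ActiveDirectory module on a Windows Server 2008 R2 or later domain controller, a Windows Server 2008 or higher domain functional level (required for fine-grained password policies), and hypothetical user and group names (sampleuser, Eng-Staff) that you would replace with your own.

```powershell
# Added example (not from the original answer). Run as a Domain Admin on a DC
# or a management host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$forest     = 'shahed.ac.ir'        # forest root from the question
$altSuffix  = 'eng.shahed.ac.ir'    # faculty-style suffix, added to the SAME domain
$sampleUser = 'sampleuser'          # hypothetical user, replace with a real sAMAccountName
$engGroup   = 'Eng-Staff'           # hypothetical global security group for engineering staff

# 1. Register an alternative UPN suffix on the forest. Users keep living in the
#    single domain; only the logon-name suffix changes. Idempotent: adding a
#    suffix that already exists is a no-op.
Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $altSuffix }
Write-Host 'UPN suffixes now registered:'
(Get-ADForest -Identity $forest).UPNSuffixes | ForEach-Object { Write-Host "  $_" }

# 2. Give a user the faculty-style logon name without moving them anywhere.
Set-ADUser -Identity $sampleUser -UserPrincipalName "$sampleUser@$altSuffix"
Get-ADUser -Identity $sampleUser -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName

# 3. A fine-grained password policy replaces the old "one domain per password
#    policy" design. Lower Precedence wins when several policies apply to a user.
$policyName = 'Eng-Staff-Password-Policy'   # hypothetical policy name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -MinPasswordLength 12 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false
}

# 4. Policies apply to users or global security groups, so scope it by group
#    rather than by domain boundary.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $engGroup

# 5. Verify which policy actually wins for the user (returns $null when only
#    the Default Domain Policy applies).
Get-ADUserResultantPasswordPolicy -Identity $sampleUser |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Step 5 is the check worth keeping: the resultant policy is computed from group membership and precedence, so after any group change it is the only reliable way to confirm a user is under the stricter policy rather than the domain default.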